On July 17, 2020, Proofpoint researchers notified the return of threat actor TA542 and the Emotet malware. Before TA542’s return on July 17, 2020, it were last seen on February 7, 2020. This 161-day hiatus was the longest known break for this threat actor group. TA542 email campaigns are the most prevalent by message volume.
The researchers at Proofpoint have seen consistency with past campaigns as well as some notable changes to the Emotet campaigns. They have confirmed large volumes of malicious email and the key changes made to TA542 include expanded targeting of countries using native language lures and a switch to a new Qbot affiliate.
The researchers have seen over 7 million messages over a 40-day timespan while they saw over 6 million messages over 20 days in the January/February 2020 campaigns. The summer campaigns usually have an average volume of just over 180,000 messages per day compared to over 300,000 per day for the January/February 2020 campaigns. For all of 2020 so far, they have seen over 13 million messages linked to Emotet.
Another area of consistency with previous Emotet campaigns is how malicious email messages are sent to a wide variety of industries and organizations around the world.
One key change in these campaigns is TA542 has expanded the geographic distribution of their malicious email messages and the languages used in lures.
In these latest campaigns, TA542 has expanded their targeting to also include: Finland, India, Indonesia, Norway, Sweden, The Netherlands, The Philippines and Vietnam
New languages added by TA542 in these campaigns include: Hindi, Indonesian, Philippine Languages, Swedish, Norwegian, Finnish, Dutch and Vietnamese.
This summer TA542 have opted to use Qbot to configure/install Emotet. Qbot, a banking malware and a backdoor connects to a remote server, allowing an attacker to access the infected system. It can steal information including banking and financial information as well as logging keystrokes, enabling it to steal usernames and passwords.
In their summer campaigns, TA542 continues to use a tactic seen in past Emotet campaigns of “thread hijacking,” the practice of inserting malicious emails into existing, ongoing email threads to make the malicious emails seem more legitimate. These campaigns also utilize COVID-19 themes in some of their lures. Further, while TA542’s hiatus began before the COVID-19 pandemic became widespread, TA542 was a very early adopter of COVID-19 themed lures, using them in January 2020.
This latest series of campaigns show a mixture of careful, methodical expansion of tactics and techniques that have been successful in the past. TA542 combines their capacity for massive malicious email campaigns with an expanded capacity for geographic distribution and localization of lures into even more native languages. Based on past experience the researchers at Proofpoint expect TA542 to continue their pattern of massive campaigns punctuated by breaks followed in turn by a return to activity that includes some moderate changes that expand their reach and effectiveness.